CVE-2026-42046
Received Received - Intake
Integer Overflow Leading to Heap Overflow in libcaca

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-42046
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libcaca libcaca to 0.99.beta20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the libcaca library, which is used for creating color ASCII art. In version 0.99.beta20 and earlier, there is an integer overflow issue in the canvas import functionality. An attacker can exploit this by providing a specially crafted file in the "caca" format, which causes a controlled heap out-of-bounds write (heap overflow). This can lead to memory corruption or potentially remote code execution depending on the system's build configuration and memory allocator.

Impact Analysis

Exploiting this vulnerability can result in serious impacts such as memory corruption or remote code execution. This means an attacker could potentially execute arbitrary code on your system with the privileges of the vulnerable application, leading to system compromise, data loss, or unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, you should update libcaca to a version that includes the fix from commit fb77acff9ba6bb01d53940da34fb10f20b156a23 or later.

Avoid processing untrusted or crafted files in the "caca" format until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart